User.ReadBasic.All scope not granted, v2 - javascript

I'm trying to request the following 3 scopes for oauth from the v2 Azure directory: user.read, user.readbasic.all, calendars.readwrite.
My authorization GET request is
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?'
+ '&client_id=myclientid'
+ '&response_type=code'
+ `&redirect_uri=myredirecturl`
+ '&response_mode=query'
+ '&scope=user.read%20user.readbasic.all%20calendars.readwrite'
+ '&prompt=consent';
Notice I've ruled out having changed consent type since the last authorization was made.
I successfully get a code, and exchange that for a token:
axios.post(
'https://login.microsoftonline.com/common/oauth2/v2.0/token',
querystring.stringify(
{
client_id: my_client_id,
client_secret: my_app_secret,
grant_type: 'authorization_code',
code,
scope: 'user.readbasic.all user.read calendars.readwrite',
redirect_uri: my_redirect_url
},
null,
null,
{ encodeURIComponent: s => encodeURI(s) }
)
);
I am not seeing any consent message for user.readbasic.all on login
I am not receiving User.ReadBasic.All in the response for the scope of the token I'm rewarded.
I am receiving user.read and calendars.readwrite
Update
I Believe i'm narrowing down the problem to changing scopes or tenant type. Although I have prompt=consent as a param, I am not getting the user.readbasic.all scope on my personal account. When I send the authorization link to others in organization tenants, they get the full list of permissions. Why are there two different permission pages for different users? Two screenshots:

The stringify() method is converting your object into application/json. This is incorrect, it should be application/x-www-form-urlencoded.
For details on how to do this with Axios, see this GitHub Issue.
Also, personal accounts (MSAs) can't "Read all users' basic profiles". As a "personal" account, there is only one user associated.

Related

Refresh token for Google OAuth 2.0

I have an application that uses Google APIs in some places, and I want to avoid having the user login every time. Currently, I only receive a Google access token in the response, not a refresh token. How can I obtain the refresh token?
This is the function I use to when the user click to login with google:
authenticate() {
const client = google.accounts.oauth2.initTokenClient({
client_id: 'MY_CLIENT_ID',
scope: [
"All_NECESSARY_SCOPES",
].join(" "),
callback: (res) => {
this.accessToken = res.access_token
this.loadClient()
}
})
client.requestAccessToken()
},
It works for getting the access token. And I need the refresh token, Please Help Me :)
Client side JavaScript does not return a refresh token. It would be a security risk.
If you want a refresh token you need to use a server sided language like Node.js

How to get authorization_code from Gmail API in angular 5 app

I am working in an Angular app, I want to add Gmail in this Angular app.
I have followed this tutorial https://medium.com/#mcflyDev/angular-2-or-4-import-google-contacts-d0ffb13d8626
everything is working fine and I am getting the success response with access_token but I am not getting authorization_code.
How can I get authorization_code?
Here is my configuration:
this.auth2 = gapi.auth2.init({
client_id: 'bla-bla-bla-2.apps.googleusercontent.com',
cookiepolicy: 'single_host_origin',
scope: 'https://www.googleapis.com/auth/gmail.readonly',
access_type: 'offline',
response_type: 'code',
auth_uri: 'https://accounts.google.com/o/oauth2/v2/auth',
prompt: 'select_account',
include_granted_scopes: true,
grant_type: 'authorization_code',
});
Also, I am also not getting refresh_token, as you can see I have already set access_type: 'offline'.
I am getting this response as shown in the above image.
Thanks.
I got the solution. Earlier I was making a POST Ajax call but that was not required.
We just need to do a small setup in 2 steps:
Step 1. Prepare a URL:
The URL should look like this:
https://accounts.google.com/o/oauth2/auth?redirect_uri=:your_redirect_url&response_type=code&client_id=:your_client_id&scope=https://www.googleapis.com/auth/gmail.send&approval_prompt=force&access_type=offline
You can paste this URL in your browser and hit enter to check it is working.
Step 2. Create an anchor tag in HTML:
Connect With Gmail
Congratulations!!! You have done.
Whenever user will click on this link, Google will ask for permission for the provided scope and if the access is granted by the end user then Google will redirect to the given redirect_url with the authorization_code in the query param.
Then on the server side, you will need to make another API call with this authorization_code then Google will provide access_token and refresh_token.
Thanks, I hope it will help.
#Arpit Meena
I found another solution:
On button "Connect With Gmail" click I run this.auth2.grantOfflineAccess().
It fires google account choose popup and immediately after that popup to grant privileges to scopes. It returns authorization_code which I can use to get refresh_token and access_token in my API ($gClient->authenticate($code);).
This is the one i found best to get auth code by use of js client library.
rest on g-site only http/rest method is mentioned.
function initClient() {
gapi.client.init({
apiKey: API_KEY,
clientId: CLIENT_ID,
discoveryDocs: DISCOVERY_DOCS,
scope: SCOPES,
access_type:'offline',
include_granted_scopes: true
}).then(function () {
offinebutton.onclick = offlinefunction;
}, function(error) {
appendPre(JSON.stringify(error, null, 2));
});
}
function offlinefunction() {
gapi.auth2.getAuthInstance().grantOfflineAccess().then(function(resp) {
console.log(resp.code)
});
}

instafeed.js stopped working: The access_token provided is invalid

I am using instafeed.js like so:
var feed = new Instafeed({
get: 'user',
userId: 19191919191,
limit: 9,
accessToken: 'myaccesstokenhere',
target: 'instagram',
resolution: 'standard_resolution',
after: function() {
var el = document.getElementById('instagram');
if (el.classList)
el.classList.add('show');
else
el.className += ' ' + 'show';
}
});
but I am getting this error:
The access_token provided is invalid.
I got the access_token by https://www.instagram.com/developer I registered my application and put the Client Secret as the accessToken and I got my userID from here https://smashballoon.com/instagram-feed/find-instagram-user-id/
but its still saying The access_token provided is invalid. what am I doing wrong?
You cannot use your Client Secret in place of accessToken, as the Client Secret is used server-side as part of the OAuth process in order to get the user accessToken.
I suggest reviewing Instagram's Authentication docs here to be sure you're using the Authentication strategy that makes sense for your application.
It sounds like you're more likely to want to use their Client Side Implicit Authentication (at the bottom) to get an access token. You can even do this yourself manually to just get an accessToken for testing. Once you have the accessToken, then you can simply use that in the correct field for instafeed.js to load what you want from Instagram.
You can also just get your own accessToken by going to http://instagram.pixelunion.net/ and using the one generated there.
Seems you confused accessToken with Client Secret, check it here https://www.instagram.com/developer/authentication/
To make life easy you can try to generate one here http://instagram.pixelunion.net/

Auth0 email confirmation, how to handle registration gracefuly

I am using auth0.
My app requires users to confirm their email.
When a user registers, he receives this alert:
Error: unauthorized. Check the console for further details.
This is because the user has not yet verified his email.
How do I "catch" this event / alert in order to redirect the user to a view of my choice?
Thank you for your help
There is a couple of different parts to this.
1). have you enabled the email verified rule? (it is a template available from Auth0 dashboard -
function forceEmailVerification(user, context, callback) {
console.log("force-email-verification");
if(context.connection !== "MyDB") {
return callback(null, user, context);
}
if (!user.email_verified) {
return callback(new UnauthorizedError('Please verify your email before logging in.'));
} else {
return callback(null, user, context);
}
}
That effectively raises an exception in the Rules pipeline if email not verified. It will return the error to your application on the callbackUrl you provide as two query params - error and error_description. It is then up to you how you handle this - Here is a sample Node.js application I wrote specifically to illustrate how this works - In the sample, i am using some express middleware to check for the error and error_description and forward to a Custom controller / view if detected.
2). Only if needed, you can also explicitly trigger an email verification email. It is a POST request to https://{{tenant}}.auth0.com/api/users/{{user_id}}/send_verification_email
endpoint, passing an Authorization Bearer header with an Auth0 APIv1 token (and empty body). The token can be obtained by making a POST request to https://{{tenant}}.auth0.com/oauth/token endpoint passing body of the form:
{
"client_id": "{GLOBAL CLIENT ID}",
"client_secret": "{GLOBAL CLIENT SECRET}",
"grant_type": "client_credentials"
}
You can get the global client id and client secret under account settings -> advanced from Auth0 dashboard. Please do NOT store any secrets on SPA apps etc - using this endpoint should only be done from Client Confidential / Trusted applications (e.g traditional MVC webapp you own).
Hope this helps. Please leave comments if anything unclear.

Status 401 on final payment completion issue

I am getting an error on the final stage of a Paypal payment, when I execute the it. As far as I can see, its correct, I have no errors, but this is what it returns:
{"body":"","headers":{"Content-Type":"application/json","Date":"Mon, 30 Jun 2014 18:10:56 GMT","Content-Length":"0","PROXY_SERVER_INFO":"host=slcsbjava1.slc.paypal.com;threadId=911","Paypal-Debug-Id":"b190b1adb3748","Server":"Apache-Coyote/1.1"},"status":401}
This is the code I am using:
execute = XHR.send('POST', 'https://api.sandbox.paypal.com/v1/payments/payment/' + ppid[0].paymentid + '/execute', {
"header": {
"Authorization": "Bearer " + auth,
"Content-Type" : "application/json"
},
"parameters": {
"payer_id": pid
}
});
console.log(execute);
I cannot see what the Paypal debug means, and I have looked it up, but mostly I see PHP issues rather than JS and cURL.
I saw on a post confusing REST API with Classic, but I have taken the instructions from the interactive guide by Paypal: https://devtools-paypal.com/guide/pay_paypal/curl?interactive=OFF&env=sandbox
Can anyone help me with this ?
UPDATE
Found out with debugging auth was empty, so I fixed it, and now getting a new error which is this:
Error: {"message":"com.mongodb.BasicDBList cannot be cast to java.util.Map","code":"0"} ( # 8 : 45 ) -> var innerResult = GlobalXHRInner.send(method, url, GlobalJSON.stri
This error changes depending on how I send the final headers and parameters:
var newauth = "Bearer " + ppid[0].auth;
var info = {"headers": [{"Authorization": "'+newauth+'", "Content-Type" : "application/json"}], "parameters": [{"payer_id": "'+pid+'"}]};
console.log(info);
execute = XHR.send('POST', 'https://api.sandbox.paypal.com/v1/payments/payment/' + ppid[0].paymentid + '/execute', info );
console.log(execute);
response.success(execute);
If I change :
var info = {"headers": [{"Authorization": "'+newauth+'", "Content-Type" : "application/json"}], "parameters": [{"payer_id": "'+pid+'"}]};
to this:
var info = '{"headers": [{"Authorization": "'+newauth+'", "Content-Type" : "application/json"}], "parameters": [{"payer_id": "'+pid+'"}]}';
By adding the quote, I get a invalid object error, which I have checked with a json validator and passed. Really confused by these errors as I followed the guide :(
This error message according to the PayPal documentation means this:
Authentication Errors
HTTP Status Code: 401
Authentication errors are often caused by issues related to access tokens:
Ensure the access token is included and correct.
Ensure the access token hasn’t expired.
PayPal Developer API Call Information
Here is additional information on Access tokens from PayPal Developer Access Token:
When you make the API calls, make request by adding the access token in the ‘Authorization’ header using the following syntax (as defined in the OAuth 2.0 protocol):
Authorization: {tokenType} {accessToken}
Example: Authorization: Bearer EEwJ6tF9x5...4599F
Access token validity and expiration
PayPal-issued access tokens can be used to access all the REST API endpoints. These tokens have a finite lifetime and you must write code to detect when an access token expires. You can do this either by keeping track of the ‘expires_in’ value returned in the response from the token request (the value is expressed in seconds), or handle the error response (401 Unauthorized) from the API endpoint when an expired token is detected.

Categories